Google Git
Sign in
edge/apid/istioApigeeAdapter/645b7bdeb261648b6fc03adb6a742ad8f9981dec^!/.
commit
645b7bdeb261648b6fc03adb6a742ad8f9981dec
[log]
author
Gautham V Kidiyoor <gauthamvk@google.com>
Thu Jun 15 23:12:18 2017 +0530
committer
Gautham V Kidiyoor <gauthamvk@google.com>
Thu Jun 15 23:12:18 2017 +0530
tree
36b3b00a187a2bc5ccdd6c5f438cccd5e4818f1e
parent
25a7ddf4faefcb2fdb05ec6c8c0a670f74e10d27 [diff]
jwt support

diff --git a/adapter/BUILD b/adapter/BUILD
index f42b913..a864253 100644
--- a/adapter/BUILD
+++ b/adapter/BUILD

@@ -12,12 +12,14 @@
         "applications.go",
         "products.go",
         "rejecter.go",
+        "jwt.go",
     ],
     deps = [
         "//adapter/config:go_default_library",
         "//common:go_default_library",
         "//external:mixer_adapter",
         "@com_github_hashicorp_go_multierror//:go_default_library",
+        "@com_github_dgrijalva_jwtgo//:go_default_library",
     ],
 )
 
@@ -33,5 +35,6 @@
     library = ":go_default_library",
     deps = [
         "//mock:go_default_library",
+
     ],
 )

diff --git a/adapter/apigeeKeyAttributes.go b/adapter/apigeeKeyAttributes.go
index 6971f98..5c5047c 100644
--- a/adapter/apigeeKeyAttributes.go
+++ b/adapter/apigeeKeyAttributes.go

@@ -19,7 +19,7 @@
 import (
 	"fmt"
 	"strconv"
-
+	"strings"
 	"github.com/apid/istioApigeeAdapter/adapter/config"
 	"istio.io/mixer/pkg/adapter"
 )
@@ -29,6 +29,7 @@
 	keyAttrsDesc = "Set attributes based on an Apigee API key"
 
 	keyParam           = "apiKey"
+	jwtParam	   = "jwtToken"
 	pathParam          = "requestPath"
 	successParam       = "success"
 	successStringParam = "successString"
@@ -47,6 +48,7 @@
 	env          adapter.Env
 	applications *applicationManager
 	products     *productManager
+	jwtVerifier  *jwtVerifier
 }
 
 func newKeyAttrsBuilder() adapter.AttributesGeneratorBuilder {
@@ -62,10 +64,13 @@
 func (b keyAttrsBuilder) BuildAttributesGenerator(env adapter.Env, c adapter.Config) (adapter.AttributesGenerator, error) {
 	cfg := c.(*config.VerifyKeyParams)
 	verifyPath, productsPath := getPaths(cfg)
+	publicKeyUrl := getPulicKeyUrl(cfg)
+
 	g := &keyAttrsGenerator{
 		env:          env,
 		applications: newApplicationManager(env, defaultAppLifetime, verifyPath),
 		products:     newProductManager(productsPath, defaultProductsFetch),
+		jwtVerifier:  newVerifier(defaultKeyFetch, publicKeyUrl),
 	}
 	env.Logger().Infof("Created Apigee attributes generator to invoke \"%s\"", verifyPath)
 	env.Logger().Infof("Checking API products using \"%s\"", productsPath)
@@ -80,14 +85,48 @@
 	out[successStringParam] = "false"
 
 	key := getString(in, keyParam)
-	if key == "" {
+	jwt_token := getString(in, jwtParam)
+
+	if key == "" && jwt_token == "" {
 		return out, nil
 	}
+
 	path := getString(in, pathParam)
 	if path == "" {
 		return out, nil
 	}
 
+	if jwt_token != "" {
+		if strings.HasPrefix(jwt_token, "Bearer") {
+			token := strings.Split(jwt_token, " ")[1]
+			jwt_token = token
+		} else {
+			g.env.Logger().Errorf("Cannot verify jwt token, Bearer missing")
+			return out, nil
+		}
+
+		claims, err := g.jwtVerifier.Verify(jwt_token)
+
+		if err != nil {
+			g.env.Logger().Errorf("Cannot verify jwt token : %s", err)
+			return out, nil
+		}
+
+		// considers token as valid if exp, iat, iss is not present
+		err = claims.Valid()
+
+		// invalid token
+		if err != nil {
+			g.env.Logger().Errorf("jwt token invalid : %s", err)
+			return out, nil
+		}
+
+		// TODO: check scopes
+
+		// prioritizing jwt over apikey (if user passes both jwt and apikey)
+		key = claims.(*apigeeClaims).ClientId
+	}
+
 	// Look up API key from cache, making HTTP request if necessary
 	app, err := g.applications.get(key)
 	if err != nil {
@@ -116,9 +155,14 @@
 	if success {
 		out[productNameParam] = products[0].Name
 	}
+
 	return out, nil
 }
 
 func (g *keyAttrsGenerator) Close() error {
 	return nil
 }
+
+func getPulicKeyUrl(cfg *config.VerifyKeyParams) (string) {
+	return fmt.Sprintf(defaultPublicKeyURL, cfg.Organization, cfg.Environment)
+}
\ No newline at end of file

diff --git a/adapter/jwt.go b/adapter/jwt.go
new file mode 100644
index 0000000..290ba62
--- /dev/null
+++ b/adapter/jwt.go

@@ -0,0 +1,112 @@
+/*
+Copyright 2017 Google Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package adapter
+
+// TODO: key rotation
+
+import(
+	// ref: https://godoc.org/github.com/dgrijalva/jwt-go ,  https://github.com/dgrijalva/jwt-go
+	jwt "github.com/dgrijalva/jwt-go"
+	"fmt"
+	"regexp"
+	"net/http"
+	"io/ioutil"
+	"time"
+)
+
+const (
+	defaultKeyFetch 	= time.Hour
+	defaultPublicKeyURL	= "https://%s-%s.apigee.net/edgemicro-auth/publicKey"
+)
+
+type apigeeClaims struct {
+	jwt.StandardClaims
+	ClientId 		string `json:"client_id,omitempty"`
+	ApplicationName        	string `json:"application_name,omitempty"`
+	Scopes   		[]string `json:"scopes,omitempty"`
+}
+
+type jwtVerifier struct {
+	parser 		  *jwt.Parser
+	refresh    	  time.Duration
+	public_key_rsa256 []byte
+	// TODO add support for other algorithms
+}
+
+// return: verifier object that can be used to verify JWT
+// input: keys
+// TODO: input HMAC and ECDSA keys
+func newVerifier(refresh time.Duration, public_key_url string) (*jwtVerifier){
+	verifier_obj_pointer := new(jwtVerifier)
+
+	// TODO: handle error
+	public_key_rsa256_raw_data, _ := getHttp(public_key_url)
+
+	// TODO: store parsed key
+	verifier_obj_pointer.public_key_rsa256   = public_key_rsa256_raw_data
+	verifier_obj_pointer.parser		 = new(jwt.Parser)
+	// TODO: add more methods based on keys supplied to this function, while adding support for other algorithms
+	verifier_obj_pointer.parser.ValidMethods = []string{"RS256"}
+
+	return verifier_obj_pointer
+}
+
+// Verify a token and output the claims
+func (this *jwtVerifier) Verify(to_verify_token string) (jwt.Claims, error) {
+
+	// get byte stream of token
+	to_verify_token_in_bytes := []byte(to_verify_token)
+
+	// trim possible whitespace from token
+	to_verify_token_in_bytes = regexp.MustCompile(`\s*$`).ReplaceAll(to_verify_token_in_bytes, []byte{})
+
+	// Parse the token
+	token, err := this.parser.ParseWithClaims(string(to_verify_token), &apigeeClaims{}, func(t *jwt.Token) (interface{}, error) {
+		// this function should return right key to parse the token
+		if(t.Method.Alg() == "RS256") {
+			return jwt.ParseRSAPublicKeyFromPEM(this.public_key_rsa256)
+		} else {
+			return nil, fmt.Errorf("signing method not supported")
+		}
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("Couldn't parse token: %v", err)
+	}
+
+	if !token.Valid {
+		return nil, fmt.Errorf("Token is invalid")
+	}
+
+	// return jwt.Claim object (https://github.com/dgrijalva/jwt-go/blob/master/claims.go#L11) (http://godoc.org/github.com/dgrijalva/jwt-go#Claims)
+	return token.Claims, err
+}
+
+func getHttp(public_key_url string) ([]byte, error) {
+	resp, err := http.Get(public_key_url)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("HTTP error fetching from url", public_key_url, " with response code ", resp.StatusCode)
+	}
+
+	return ioutil.ReadAll(resp.Body)
+}
\ No newline at end of file